Encrypting/Decrypting passwords

I know that simply encrypting and decrypting passwords in a script is as bad as storing them in plain text, but I've been searching for an answer to this for a few days now, and haven't found an answer that fits the problem I'm having.

Here's the scenario. I'll give more details than I think may be relevant, just in case...

I have a VMware Management Assistant machine running SuSE Enterprise 11, which in turn is talking to an APC UPS. When the UPS goes to battery power, it is set to run a script that will gracefully shut down the VMware virtual machines running on an ESXi cluster. In order to do this, the script needs to be able to automatically log in to the ESXi machines using a local (to the ESXi machines) username/password combo.

I've written the script to handle the shutdowns in Perl using VMware's API, but the username/password issue has me stumped. Prompting for a password won't work as I need it to run automatically (what happens if the power goes out and no one is around to enter the password?).

I'm at quite a loss as to how to handle this situation. I know I could hash the password using something like Authen::Passphrase::BlowfishCrypt, but how would I then pass it to the ESXi host for the login? Am I maybe approaching this whole thing from the wrong direction, or is there a solution that I'm just not seeing?

Thanks in advance for your help.

There are widely used ways to automatically and securely log into remote systems using public and private keys that are stored in files. It's been a while, so I don't remember the details, but I used ssh-keygen to set it up, and there are many tutorials to show how to do it. Perhaps that might work for you, if it's compatible with your situation and you have not already tried it.


Have you looked at vCLI (vSphere Command-Line Interface)? The vicfg-hostops interface can do what you are looking to do.

vicfg-hostops [<conn_options>]
       [--action [suspend|poweroff] |
        --cluster |
        --datacenter |
        --force |
        --operation [enter | exit | shutdown | reboot | info] ]

@hanson44 - Thanks, I'll have to check into that. I had completely forgotten about ssh-keygen; been in the Windows world for too long.

@fpmurphy - Thanks for the pointer to vCLI, it looks like that may be just the ticket, once I figure out how to use the credstore.
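
Both suggestions in this thread leave a secret in a file that the unattended script reads (a private key for ssh, the credstore for vCLI), so the file's ownership and permissions become the protection. The following is an added example, not code from any poster or from VMware: a pre-flight check the UPS-triggered wrapper could run before using that file. The function name `check_secret_file` and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example. check_secret_file is a hypothetical helper, not part of
# OpenSSH or vCLI. It refuses a key or credential-store file that other
# local users could read or replace. Returns 0 when the file is acceptable.
check_secret_file() {
    f=$1
    if [ -L "$f" ]; then
        echo "refusing $f: symlink, target could be swapped" >&2; return 3
    fi
    if [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2; return 4
    fi

    # "ls -ldn" prints: mode, link count, numeric uid, numeric gid, ...
    meta=$(ls -ldn -- "$f") || return 5
    mode=${meta%% *}
    uid=$(printf '%s\n' "$meta" | awk '{print $3}')

    if [ "$uid" != "$(id -u)" ]; then
        echo "refusing $f: owned by uid $uid, not the running user" >&2; return 6
    fi
    # Characters 5-10 of the mode are the group and other bits; all must be "-".
    case $mode in
        ????------*) ;;
        *) echo "refusing $f: mode $mode grants group/other access" >&2; return 7 ;;
    esac

    # A group- or world-writable parent lets someone rename the file away
    # and drop in a replacement, so check write bits (characters 6 and 9).
    dmeta=$(ls -ldn -- "$(dirname -- "$f")") || return 5
    case ${dmeta%% *} in
        ?????-??-*) ;;
        *) echo "refusing $f: parent directory is group/other writable" >&2; return 8 ;;
    esac
    return 0
}

# Usage in the shutdown wrapper (path is a placeholder):
#   check_secret_file "$HOME/.ssh/ups_shutdown_key" || exit 1
```

Each failure has its own return code, so the wrapper can log why it refused to proceed instead of silently failing during a power event.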